The New Privacy Shield

Data protection law in Ireland has been in a state of uncertainty since the Safe Harbour scheme, which governed transfers of data between the EU and the US, was declared invalid. On 8 July 2016 the Article 31 Committee (a committee comprised of representatives of Member States charged with making the decisions required by the Data Protection Directive) finally approved the new basis for transfers from the EU to the US - the Privacy Shield. In this article we look at the background to how this came about and what it means for you.

Safe Harbour – Not So Safe!

Maximillian Schrems, from Austria, is a strong advocate of data protection rights for EU citizens. Following the revelations made by Edward Snowden concerning the US National Security Agency (“NSA”), Schrems lodged a complaint with our Data Protection Commissioner (“DPC”), as the data protection agency charged with overseeing Facebook and others in Europe. Snowden leaked information to the media about the surveillance methods carried out by the NSA, which included extensive internet and phone surveillance, including of EU user data stored in the US.

Schrems argued that US law did not provide adequate protection for the processing of personal data. Our data protection legislation, which parallels the EU Data Protection Directive, prohibits the transfer of personal data outside of the EEA unless that country or territory ensures

“an adequate level of protection for the privacy and the fundamental rights and freedoms of data subjects in relation to the processing of their personal data…”

The DPC held it could not investigate this complaint as the Safe Harbour scheme was a matter for the European Commission. Schrems commenced judicial review proceedings in the High Court.

The High Court turned to the Court of Justice of the European Union (“CJEU”) for guidance. Further details of Hogan J’s decision in the High Court can be found in our previous article.

CJEU Decision

The CJEU found Safe Harbour to be invalid, which meant it could no longer be relied on. Thousands of Irish and other European companies had relied on Safe Harbour as their means of transferring data outside of the EEA. Such transfers may be used to store or process data, or to transfer data to the organisation’s service providers or group companies in the US.

The uncertainty in the intervening period, from the CJEU decision to 8 July, required companies to rely on other grounds for transferring data to the US, such as using the “Model Clauses” in data transfer agreements or relying on the explicit consent of the data subject.

Privacy Shield

The EU/US Privacy Shield is based on “self-certification” by organisations to a set of privacy principles. Under EU law, data must be:-

obtained and processed fairly;

kept only for one or more specified, explicit and lawful purpose;

used and disclosed only in ways compatible with these purposes;

kept safe and secure;

kept accurate, complete and up to date;

adequate, relevant and not excessive;

retained for no longer than is necessary for the purpose(s).

A copy of data held by an organisation must be provided to an individual on request.

The US and EU were faced with the difficult task of creating a system which offers safeguards that are “globally equivalent” to the safeguards enjoyed by EU citizens. The initial drafts were met with criticism, in particular by the Article 29 Working Party, a committee of EU privacy regulators, which set out a number of shortcomings following its review of the draft Privacy Shield. These included a lack of clarity, the absence of certain aspects of EU data protection law and the complexity of the redress mechanisms. It formulated a number of recommendations.

The Privacy Shield, in its final form, promises to provide:-

more robust obligations on organisations to protect personal data;

greater measures for enforcement;

greater transparency – including a public register of companies that have self-certified compliance with the Privacy Shield;

sanctions for non-compliance;

tightening of controls for transfers of personal data;

clearer safeguards and transparency obligations – the US will give assurances that there will be limitations and safeguards, including no indiscriminate or mass surveillance by its agencies;

new redress procedures – the US will appoint an Ombudsman to deal with complaints and queries;

continued monitoring of the effectiveness of the Privacy Shield, including an annual summit and public reports.

Time will tell if the Privacy Shield provides the “adequate level of protection” to EU data subjects. Its critics are not hopeful.

Why does it matter to you?

As an individual

Data is an extremely valuable asset for an organisation. Every day organisations collect our data through our mobile phones and our web browsing, whether on our computers, laptops or tablets. The age-old saying “Nothing is Free” is more relevant now than ever. In return for downloading a “free” app we provide these organisations with a mammoth amount of our data for them to analyse and sell on to other companies, which in turn use the data, for example, to analyse trends and for targeted advertising. Our personal data has a huge value and worth.

As an organisation

The Privacy Shield will be formally adopted in the coming weeks. Organisations that wish to transfer data to the US will need to ensure the organisation which receives the data is included on the Privacy Shield List. It is essential for organisations to have a data protection policy in place setting out how data is handled and processed in compliance with the law. Current data protection policies will need to be updated in accordance with the Privacy Shield.

A data access request can cost a company a huge amount of money and, if mismanaged, can consume an inordinate amount of time. We can assist you in responding to a data access request.

A data protection breach, in particular the loss of sensitive information, needs to be managed effectively and efficiently, in particular to minimise reputational damage. We have acted for organisations in dealing with such breaches.

Organisations have obligations under data protection legislation to manage the data they collect fairly and to comply with the law. On conviction under the data protection legislation, a fine on indictment of up to €100,000 can be imposed.